Central Administration (CA)¶
Cesivi's Central Administration is a real site collection anchored at an explicit managed path.
It is the coherent home for the farm admin pages (/_admin/*.aspx — Authentication Providers, Web
Applications, Site Collections, Timer Jobs, Farm Health, etc.) rather than a loose set of admin endpoints.
CA is opt-in. With no Cesivi:CentralAdministration configuration the feature is disabled and existing
single-Web-Application deploys are byte-identical (no CA site collection, no extra routes).
Terminology. "Web Application" (WA) is the real-SharePoint farm object: a set of host bindings + auth + content databases. Cesivi seeds a single
DefaultWA out of the box. See_docs/MULTI_SERVER_DEPLOYMENT.mdand the masterplan_project/areas/multi-webapp/DESIGN.mdfor the wider multi-WA model.
Two deployment modes¶
The operator picks at deploy time which WA owns CA and at which managed path it lives.
| Mode | CA lives at | Reached via | Use when |
|---|---|---|---|
| A — CA at a managed path on an existing WA | e.g. /admin of the Default WA |
https://sp.contoso.com/admin/_layouts/15/<page>.aspx |
Simplest. One process, one listener, one auth cookie scope. Most installs. |
| B — CA on a dedicated WA | the root (/) of a CA-only WA |
https://ca.contoso.com/_layouts/15/<page>.aspx |
Hardened. CA is isolated on its own hostname (and optionally its own port + cert via PLAN-1771). |
In both modes CA is always at an explicit managed path — never a wildcard, never inferred from a URL
pattern. The [Authorize(Policy="CentralAdmin")] gate (role FarmAdmin) is unchanged in either mode:
non-admin users get 403.
Configuration¶
CA is driven by one config section, Cesivi:CentralAdministration, that both processes bind:
Cesivi.Serverseeds the CA site collection (CentralAdministrationSeeder, PLAN-1775 Phase 1).Cesivi.WebUIroutes the admin pages under the CA managed path (CentralAdministrationRouteMiddleware, PLAN-1775 Phase 2) and host-gates them against the resolved WA (PLAN-1775 Phase 2b/2c).
Set the SAME section in both appsettings.json files.
// Cesivi:CentralAdministration
{
"Cesivi": {
"CentralAdministration": {
"Enabled": true, // opt-in; false (default) => CA disabled, byte-identical
"WebApplication": "Default", // the WA that OWNS the CA site collection
"ManagedPath": "/admin" // Mode A: explicit non-root path; Mode B: "/"
}
}
}
| Field | Meaning |
|---|---|
Enabled |
Master switch. false (default) → no CA site collection, no routes, no host gating. |
WebApplication |
Name of the WA that owns CA. Mode A: usually Default. Mode B: the dedicated CA WA (e.g. CentralAdmin). |
ManagedPath |
Mode A: an explicit path like /admin. Mode B: / (CA is the WA root). |
Mode A example¶
{ "Cesivi": { "CentralAdministration": {
"Enabled": true, "WebApplication": "Default", "ManagedPath": "/admin" } } }
Browse to https://sp.contoso.com/admin/_layouts/15/authproviders.aspx → the existing Authentication
Providers admin page renders under the CA managed path, signed in as a FarmAdmin. The canonical
https://sp.contoso.com/_admin/authproviders.aspx URL keeps working unchanged.
Mode B example¶
Mode B needs a dedicated CA WA with its own host binding. Seed it in Cesivi:Farm:WebApplications
(both processes), then point CA at it:
{
"Cesivi": {
"Farm": {
// Hardened multi-WA deploy: bind the Default WA to its own host (no wildcard) and 404 unmapped hosts,
// so CA's hostname only reaches CA.
"UnmappedHostBehavior": "NotFound",
"WebApplications": [
{ "Name": "Default", "HostBindings": [ { "Host": "sp.contoso.com" } ] },
{ "Name": "CentralAdmin", "HostBindings": [ { "Host": "ca.contoso.com" } ],
"AnonymousAccess": "NeverAllowed" }
]
},
"CentralAdministration": {
"Enabled": true, "WebApplication": "CentralAdmin", "ManagedPath": "/"
}
}
}
Browse to https://ca.contoso.com/_layouts/15/authproviders.aspx → the same admin page renders.
Cross-mode isolation (how the admin URLs are NOT leaked)¶
The WebUI resolves the request host → WA name (WebUiWebApplicationResolutionMiddleware, mirroring the
server's WebApplicationResolutionMiddleware) and the CA route middleware only rewrites when the request
landed on CA's owning WA:
- Mode A, request on a host that resolves to a different WA → the admin URL is not rewritten
(downstream 404). If the Default WA has no wildcard binding and
UnmappedHostBehavior=NotFound, an unknown host such asca.contoso.com404s at the resolution middleware. - Mode B, the bare
/_layouts/15/<page>.aspxrewrite is restricted to known admin pages and fires only on the CA WA's host — a content WA's own layouts pages are never hijacked, and the same path on theDefaultWA's host 404s.
This is the Mode A↔Mode B cross-mode confusion gate (unit-proven by
CentralAdministrationRouteMiddlewareTests / WebUiWebApplicationResolverTests).
Why both processes need the config¶
The admin Razor pages run in the WebUI process; the CA site-collection seeder and the canonical
host→WA resolution run in Cesivi.Server. The WebUI therefore mirrors Cesivi:Farm:WebApplications to
resolve the request's WA itself. Keep the Cesivi:CentralAdministration and Cesivi:Farm:WebApplications
sections identical in both appsettings.json files.
What does NOT move¶
/_admin/* and /_farm/* REST/JSON probe endpoints stay at their well-known paths — they are tooling
endpoints, not user-navigable admin pages. Only the Razor admin pages are reachable under the CA managed
path; the JSON probes are unchanged so operators and scripts keep predictable URLs.
Migrating between Mode A and Mode B¶
Changing WebApplication / ManagedPath is a scheduled-downtime operation: stop the farm, edit the
config in both processes (and the Cesivi:Farm:WebApplications host bindings for Mode B), restart. The CA
seeder is idempotent, so re-seeding at the new location is safe.
Related¶
_project/plans/PLAN-1775-MultiWA-CentralAdministration.md— the implementation plan._project/areas/multi-webapp/DESIGN.md— the multi-WA / HNSC / Content-DB design._docs/MULTI_SERVER_DEPLOYMENT.md— farm / cluster deployment.